How To Set Up Multiple SSL Certificates on One IP with Nginx on Ubuntu 12.04

You can host multiple SSL certificates on one IP address using Server Name Indication (SNI).

About SNI

Although hosting several sites on a single virtual private server is not a challenge with the use of virtual hosts, providing separate SSL certificates for each site traditionally required separate IP addresses. The process has recently been simplified through the use of Server Name Indication (SNI), which sends a site visitor the certificate that matches the requested server name.

Note:

SNI can only be used for serving multiple SSL sites from your web server and is not likely to work at all on other daemons, such as mail servers. There is also a small percentage of older web browsers that may still give certificate errors. Wikipedia has an updated list of software that does and does not support this TLS extension.

Set Up

SNI requires registered domain names in order to serve the certificates, because the client selects the certificate by sending the host name it is requesting.

The steps in this tutorial require the user to have root privileges. You can see how to set that up in the Initial Server Setup Tutorial in steps 3 and 4.

Nginx should already be installed and running on your VPS.

If this is not the case, you can download it with this command:

sudo apt-get install nginx

You can check that SNI support is compiled into your nginx build:

nginx -V

After displaying the nginx version, you should see the line:

TLS SNI support enabled

Step One—Create Your SSL Certificate Directories

For the purposes of this tutorial, both certificates will be self-signed. We will be working to create a server that hosts both example.com and example.org.

The SSL certificate has two main parts: the certificate itself and the public key. To make all of the relevant files easy to access, we should create a directory for each virtual host’s SSL certificate.

mkdir -p /etc/nginx/ssl/example.com

mkdir -p /etc/nginx/ssl/example.org

Step Two—Create the Server Key and Certificate Signing Request

First, create the SSL certificate for example.com.

Switch into the proper directory:

cd /etc/nginx/ssl/example.com

Start by creating the private server key. During this process, you will be asked to enter a passphrase. Be sure to note this phrase carefully; if you forget it or lose it, you will not be able to access the certificate.

sudo openssl genrsa -des3 -out server.key 1024

Follow up by creating a certificate signing request:

sudo openssl req -new -key server.key -out server.csr

This command will prompt you to fill in a list of fields in the terminal.

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address. Leave the challenge password and optional company name blank.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc
Organizational Unit Name (eg, section) []:Dept of Merriment
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:webmaster@awesomeinc.com

Step Three—Remove the Passphrase

We are almost finished creating the certificate. However, it would serve us to remove the passphrase. Although having the passphrase in place does provide heightened security, the problem starts when one tries to reload nginx. If nginx crashes or the server needs to reboot, you will always have to re-enter your passphrase to get your entire web server back online.

You should now be able to access both sites, each with its own domain name and SSL certificate.

You can view the sites both with and without the signed SSL certificates by typing in just the domain (e.g. example.com or example.org) or the domain with the https prefix (https://example.com or https://example.org).